On Wed, Oct 03, 2012 at 04:35:59PM -0500, I wrote:
> On Wed, Oct 03, 2012 at 04:26:33PM -0400, Wietse Venema wrote:
> > Bill Cole:
> > > ; <<>> DiG 9.9.1-P3 <<>> dfleur.com mx
> > > ;; global options: +cmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41183
> >
> > How will I reproduce this quickly?
>
> Comcast owns dnssec-failed.org, a zone set up with deliberately
> broken DNSSEC. If your nameserver is verifying signatures, you will
> get a SERVFAIL for any names in that zone.

450-4.1.8 <r...@dnssec-failed.org>: Sender address rejected: Domain not found

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain ...

> It's also easy to set up a zone locally to have a SERVFAIL result.
> Probably an invalid zone file is all it takes. Insert a record with
> an out-of-zone owner name.

-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: